On Wed, 24 Sep 2003 15:29:10 +1200 Matthew Gregan <[EMAIL PROTECTED]> wrote:
> On Wed, Sep 24, 2003 at 03:09:01PM +1200, Nick Rout wrote:
> > and with a NAT router/modem they do get that protection to a large
> > degree. Nothing gets in without a pinhole set by the user (same as ipcop)
> > or a flaw in the router (possible, also possible with ipcop).
> >
> > nevertheless most people are quite safe from outside connections
> > behind a NAT router/modem.
>
> You seem pretty sure about this.
>

It depends on your degree of paranoia. If people on the inside are running stuff like kazaa, icq, msn, spyware, etc. then there are security risks.

I do know that NAT is not state of the art firewalling. However, behind a NAT box you cannot have code red or similar attack your box. By "similar" I mean an attack that connects to a port on your box and compromises via a vulnerability.

There is still a possibility of compromising the NAT box, and it's not as easily upgraded as, e.g., an ipcop box.

There is still the possibility of someone pinging the crap out of your NAT box and eating your bandwidth.

There is still the possibility of someone compromising a wireless device on your LAN and eating your bandwidth/launching nasty attacks/spams from your LAN.

Many corporate style firewalls prevent outwards packets on a port by port and even machine by machine basis (why let your staff use any port other than 80, 443?? Why let any machine other than the mailserver get out on port 25?). Your average NAT router won't do that (linux can, but ipcop doesn't).

Since I started writing this Matthew commented on "source routed packets" - I had to try and work out what that meant! I guess it depends on the TCP/IP stack in the router. Pass.

I didn't say NAT boxes were perfect, I said they offer a reasonable level of protection.

I look forward to Matthew expanding on this, for the education of us all.

> -mjg
> --
> Matthew Gregan |/
> /| [EMAIL PROTECTED]
>

--
Nick Rout
Barrister & Solicitor
Christchurch, NZ
Ph +64 3 3798966
Fax + 64 3 3798853
http://www.rout.co.nz
[EMAIL PROTECTED]
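[Added example, not part of the message above or of ipcop: a toy Python model of the two behaviours the message contrasts, a NAT box that only admits replies and user-set pinholes, and the port-by-port, machine-by-machine outbound policy of a corporate style firewall. All addresses, ports and names are constructed assumptions, and the model assumes the NAT does not rewrite source ports.]

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

PUBLIC = "203.0.113.1"        # constructed public address of the NAT box
MAILSERVER = "192.168.1.10"   # assumed: the only inside host allowed out on port 25
WEB_PORTS = {80, 443}

def egress_allowed(pkt: Packet) -> bool:
    """Outbound policy from the message: web for everyone, SMTP for the mailserver only."""
    if pkt.dport in WEB_PORTS:
        return True
    return pkt.dport == 25 and pkt.src == MAILSERVER

class NatBox:
    def __init__(self, egress_policy: bool = False, pinholes: Optional[dict] = None):
        self.egress_policy = egress_policy
        self.pinholes = pinholes or {}   # public port -> inside host, set by the user
        self.flows = set()               # (inside host, inside port, remote, remote port)

    def outbound(self, pkt: Packet) -> bool:
        """Inside -> outside. A plain NAT forwards anything and remembers the flow."""
        if self.egress_policy and not egress_allowed(pkt):
            return False
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Outside -> public address. Returns the inside host reached, or None if dropped."""
        for host, port, remote, rport in self.flows:
            if (remote, rport, port) == (pkt.src, pkt.sport, pkt.dport):
                return host                  # reply to a flow opened from inside
        return self.pinholes.get(pkt.dport)  # otherwise only a pinhole lets it in

if __name__ == "__main__":
    nat = NatBox()
    probe = Packet("198.51.100.7", 40000, PUBLIC, 80)   # unsolicited connect to port 80
    print("unsolicited inbound reaches:", nat.inbound(probe))
    p2p = Packet("192.168.1.20", 5000, "198.51.100.7", 1214)  # inside host, non-web port
    print("plain NAT lets it out:", nat.outbound(p2p))
    print("with egress policy:", NatBox(egress_policy=True).outbound(p2p))
```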